Archive for the ‘Encryption’ Category



UK Uses Encryption Controls To Prevent Export of FinSpy Trojan

Posted by Clif Burns at 6:33 pm on September 12, 2012
Category: EncryptionForeign Export Controls

Gamma International HQ
ABOVE: Gamma International
headquarters in Andover, UK

Bloomberg News reported yesterday that the U.K. has imposed export controls on Gamma International’s FinFisher software. FinFisher is commercial trojan software that can take over computers and mobile phones and which the company has marketed to foreign governments anxious to keep really, really close tabs on political dissidents. Reporters and privacy groups have uncovered evidence recently that the nice folks in Bahrain were using this software against political dissidents in that country.

Of particular interest is the rational used by the U.K. to assert export controls over the software. According to a letter sent by the U.K. government, the software required an export license because it uses cryptographic functionality covered by Category 5, Part 2 of the E.U.’s Dual Use Control List:

The Secretary of State, having carried out an assessment of the FinSpy system to which your letter specifically refers, has advised Gamma International that the system does require a licence to export to all destinations outside the EU under Category 5, Part 2 (‘Information Security’) of Annex I to the Dual-Use Regulation. This is because it is designed to use controlled cryptography and therefore falls within the scope of Annex I to the Dual-Use Regulation. The Secretary of State also understands that other products in the Finfisher [sic] portfolio could be controlled for export in the same way.

Of course, the interesting question here is whether the similar controls placed on encryption in Category 5, Part 2 of the Commerce Control List would require an export license if a U.S. company wanted to export similar trojan software for surveillance purposes. More particularly, the issue is whether under License Exception ENC a U.S. company could self-classify the item and export it without license if it had previously registered and received an Encryption Registration Number. It seems to me that it could not because the software at issue falls within 740.17(b)(2)(i)(C)(3) which excludes from self-classification items that have been designed for government end users. It is abundantly clear that Gamma International only sells this trojan software to government end users. Nevertheless, items in this category can be exported immediately upon filing a classification request to countries outside those listed in Supplement 3 to Part 740, e.g., most NATO countries as well as Japan, Switzerland, Malta, Australia and New Zealand. Licenses would be required, however, for exporting the software to countries outside those listed in Supplement 3. The U.K. will apparently require licenses to all destinations.

An additional control on such software in the United States could be found in ECCN 5D980 which controls software “primarily useful for the surreptitious interception of wire, oral, and electronic communications.” However, at least under current policy licenses to export such software to government agencies in countries other than Cuba, Iran, North Korea, Sudan, and Syria are generally approved. Whether that policy will hold given the current publicity over the use of FinFisher by oppressive regimes is another matter.

Permalink Comments (2)

Bookmark and Share



Obama Hints at Specific Export Reforms

Posted by Clif Burns at 8:30 pm on March 15, 2010
Category: BISDDTCDeemed ExportsEncryption

BlackberryLast week, in his speech before the Ex-Im Bank, President Obama provided some details about the specific export control reforms which might be in the offing. The first relates to our ludicrously archaic and burdensome system of encryption controls. Obama promised to streamline the review process for “products with encryption capabilities like cell phone and network storage devices.” He promised to cut the review process required before exporting such devices from 30 days to 30 minutes. While a welcome change, even 30 minutes is too much. The U.S. should acknowledge the widespread availability of commercial encryption outside the U.S. and deregulate exports of all encryption products other than military encryption.

Second, Obama promised reform in a somewhat obscure area of export law mostly known to export control junkies and geeks:

And second, we’re going to eliminate unnecessary obstacles for exporting products to companies with dual-national and third-country-national employees. Currently, our exporters and foreign consumers of these goods have to comply with two different, conflicting set of standards. They’re running on two tracks, when they could be running just on one. So we’re moving towards harmonizing those standards

What Obama is referring to here is the conflict between the standards applied by the State Department and the Commerce Department on “deemed exports.” Under the deemed export rules, exports of technology are deemed to be exports to the country of which the recipient is considered a national.

Under Commerce’s deemed export rules, an export to a foreigner with multiple citizenships or countries of permanent residencies is considered an export to the country of the most recently acquired citizenship or permanent residency. Under State Department rules, the export is considered to be an export to each of the countries — with the most restrictive licensing policy applied.

Obama doesn’t say which of these conflicting rules will yield to the other as they are “harmonized.” We can only hope that the Commerce rules will prevail.

Permalink Comments (2)

Bookmark and Share